The World Wide War: Analysing Whether Self-Defence Can be Used in Response to a Cyber-Attack

justcogens

6 months ago

Advertisements

By Eve Aycock

In a society characterised by the coexistence of cyberspace and reality, cyber-attacks pose an increasingly menacing risk. The contemporaneity of this threat is evidenced by the recent global Ransomware cyber-attack, which was unprecedented in scale.[1] The key legal question in ascertaining the lawfulness of self-defence in response to a cyber-attack is whether such an attack can be considered an “armed attack”.[2]

In detailing the legal framework determining a nation’s right to self-defence in the face of a cyber-attack, it is prudent to refer to the UN Charter. Article 2(4) Charter[3] stipulates the absolute prohibition on the threat or use of force in international relations;[4] a jus cogens norm.[5] An armed attack would fall under the Article 2(4) proviso of “use of force”.

However, self-defence is an exception to the prohibition on the use of force. This exception is embodied in both Article 51 of the UN Charter and customary international law.[6] Both Article 51 and the customary international law of self-defence concur that an armed attack triggers the right to self-defence.[7]

Two further conditions must be fulfilled for self-defence to be lawful: necessity and proportionality.[8] Necessity entails that there is no time to undertake non-forcible measures with a reasonable prospect of preventing the attack. Proportionality relates to how much force is allowed.[9]

In answering the question of whether a cyber-attack can constitute an “armed attack” triggering self-defence rights,[10] I will analyse three differing approaches.[11]

The instrument-based approach espouses that a cyber-attack alone is unlikely to constitute an armed attack; thus, a cyber-attack without use of military weapons would not trigger a state’s right to self-defence.[12] However, the instrument-based approach is incredibly archaic, as it disregards the fact that even if cyber-attacks do not deploy traditional military weapons, they nevertheless have the capacity to engender fatal consequences.[13]

Secondly, the target-based approach articulates that a cyber-attack may be categorised as an armed attack only if it targets an adequately important computer system, e.g. a critical national infrastructure system.[14] Consequently, under this approach a cyber-attack intending to disrupt such a system would fall within the meaning of an armed attack, enabling self-defence.[15]

Finally, the effects-based approach determines whether a cyber-attack is an armed attack based on the gravity of its effects.[16] For example, the 2010 US Stuxnet incident aimed at Iranian nuclear facilities purportedly caused substantial property damage. It was deduced that Stuxnet constituted an armed attack;[17] potentially indicating that self-defence could be used under this approach. However, it remains ambiguous which type of effects justify self-defence.[18] Whilst some advocates of this approach contend that the impact of a cyber-attack must involve kinetic violence, others find it important to consider the magnitude and immediacy of the attack.[19]

The extant law appears to prescribe that a cyber-attack not entailing a risk of death or injury cannot constitute an armed attack enabling forceful self-defence.[20] This is evidenced by the current state of affairs: no state has yet asserted that a cyber-attack comprised an armed attack triggering a right of self-defence under Article 51.[21] Nevertheless, it is widely accepted that an armed attack involves a use of force, which is determined by its gravity and effects rather than the instrument utilised.[22]

Therefore, the prevailing opinion is that a cyber-attack causing significant detriment can be classified as an armed attack for purposes of self-defence, signalling that the effects-based approach is the most accepted.[23]

Lastly, it is salient to scrutinise whether self-defence in response to a cyber-attack could fulfil the jus ad bellum principles of necessity and proportionality. The application of necessity and proportionality to state responses to cyber-attacks is somewhat challenging.[24] This is because in order to examine the necessity of self-defence, the attack must be attributed to a designated source, i.e. a state.[25] As the recent ‘WannaCry’ cyber-attack has shown,[26] it is normally extremely difficult to identify the attacker.[27] Concerning proportionality, a forceful defensive operation must be proportionate in that the extent and nature of a state’s response is restricted to ensuring that it is no longer the subject of attack.[28]

To conclude, in determining whether a cyber-attack would enable the exercise of self-defence, the cyber-attack must constitute an armed attack. The characterisation of a cyber-attack as an armed attack largely depends on the approach adopted. In my opinion, it is archaic to stipulate that a cyber-attack not causing death, injury, or even physical damage cannot constitute an armed attack. I maintain that a cyber-attack can be classified as an armed attack in various circumstances, and can therefore potentially trigger a state’s right to self-defence – even if the cyber-attack does not have violent consequences.

Ultimately, international law must evolve in accordance with the increasingly digitalised society that it governs. In order for this to transpire, there must be acknowledgement of the fact that cyber-attacks render it possible to cause considerable damage through non-destructive means.[29]

Eve Aycock is an exchange student at UWA. Originally from the Isle of Man, she is studying an LLB in International & European Law in the Netherlands. Eve is passionate about ornithology, extra mature cheddar cheese, and the deployment of the Oxford comma.

[6] Michael N. Schmitt, ‘Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defence, and Armed Conflicts’ in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (1st edn, National Academies Press 2010) 162.

[7] For a state to use force in self-defence, it must thus prove that it has been the victim of an armed attack. The idea that self-defence can only occur in response to an armed attack excludes the contested right to anticipatory or pre-emptive self-defence. Nicholas Tsagourias, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (2012) 17 Journal of Conflict and Security Law 229; Malcolm N. Shaw, International Law (7th edn, Cambridge University Press 2014) 825.